Computer Systems · Security

CS11 — Tracking Cookies and DOS Attacks

📅 Mon 17 Aug 2026 · P1+P2 (double)
~120 minutes
Learning intentions
Success criteria
Warm up — recap from CS10
Answer from memory · check when done
W1
In what year was the Computer Misuse Act passed into law in the UK?
W2
Which of the following is a criminal offence under the Computer Misuse Act?
W3
What term describes an attempt to trick someone into revealing personal information by pretending to be a trustworthy organisation?

Key vocabulary

Cookie: A small text file stored in a browser by a website to remember information about a user or session
Tracking cookie: A third-party cookie set by an advertising or analytics company to monitor a user's browsing behaviour across multiple websites
Third-party cookie: A cookie set by a domain different from the website currently being visited
Denial of Service (DOS): An attack that overwhelms a server with requests, making it unavailable to legitimate users
Distributed DOS (DDOS): A DOS attack launched simultaneously from thousands of different computers, making it much harder to block
Botnet: A network of computers that have been infected with malware and are controlled remotely by an attacker without their owners' knowledge
Zombie computer: An individual infected computer within a botnet, used to send attack traffic without its owner's knowledge
Bandwidth consumption: A type of DOS fault where the attacker sends enough traffic to use up all of a network connection's available capacity
Resource starvation: A type of DOS fault where the attacker exhausts a server's processing power, memory, or connection limits rather than its network bandwidth
GDPR: General Data Protection Regulation — EU/UK law that requires websites to obtain user consent before storing non-essential cookies

Part 1 — Tracking cookies

What is a cookie?

When you visit a website, it can store a small text file called a cookie in your browser. Cookies are used for many legitimate purposes: keeping you logged in, remembering items in a shopping basket, or saving your language preferences. These are called first-party cookies because they are set by the website you are actually visiting.

A third-party cookie is different — it is set not by the site you are on, but by another organisation whose code appears on that page. Advertising networks and analytics companies embed code on thousands of websites, which allows them to set cookies in your browser whenever you visit any of those sites.

How tracking cookies follow you across websites

When an advertising company's code runs on a page, it checks whether you already have one of its cookies. If you do not, it creates one with a unique identifier — a random ID code that identifies your browser. If you already have the cookie, it reads the ID and records which website you just visited, linking that visit to your ID.

Because the same advertising company's code appears on thousands of websites, it can build up a detailed picture of where you browse. This is a tracking cookie — a cookie whose purpose is not to make the current website work, but to track your behaviour across many different sites.

What happens to the data?

Over time, a tracking profile associated with your unique ID might include: which news topics you read, which products you browsed, which travel destinations you searched for, and which health conditions you looked up. This profile is used to serve you targeted advertisements — adverts that match your apparent interests. The profile may also be sold to other companies.

Privacy implications

Tracking cookies raise significant privacy concerns. Users are often unaware their browsing behaviour is being monitored. The data collected can reveal sensitive information — health concerns, financial difficulties, political views — without users ever consenting to share it. Under the UK GDPR, websites must ask for consent before storing non-essential cookies, which is why cookie banners appear on most websites. However, many users click "Accept All" without reading the options, giving broad consent without intending to.

Most modern browsers allow users to block third-party cookies. Browsing in private or incognito mode prevents cookies from persisting after the session ends, limiting tracking — though it does not make you invisible to the websites you visit.
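The check-then-set logic described above, and the effect of blocking third-party cookies, can be modelled in a few lines. This is an added example, not part of the original lesson: the `AdServer` and `Browser` classes, the `.example` site names and the sequential IDs are constructed for illustration.

```javascript
// Toy model of the third-party ad server the page calls AdCo (all names constructed).
class AdServer {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // uid -> sites where that uid was seen
  }

  // Called once for every page that embeds AdCo's code. `cookieHeader` is the
  // Cookie header the browser sent to AdCo's domain ("" if it sent none).
  handleAdRequest(site, cookieHeader) {
    const match = /(?:^|;\s*)uid=([0-9A-F]+)/.exec(cookieHeader);
    let uid = match ? match[1] : null;
    let setCookie = null;
    if (uid === null) {
      // Sequential so the run is repeatable; a real network issues a random ID.
      uid = (this.nextId++).toString(16).toUpperCase().padStart(5, "0");
      setCookie = `uid=${uid}; Max-Age=31536000; SameSite=None; Secure`;
    }
    if (!this.profiles.has(uid)) this.profiles.set(uid, []);
    this.profiles.get(uid).push(site);
    return setCookie;
  }
}

class Browser {
  constructor(blockThirdParty) {
    this.blockThirdParty = blockThirdParty;
    this.adCookie = ""; // what this browser has stored for AdCo's domain
  }
  visit(site, adServer) {
    // With third-party cookies blocked, nothing is sent and nothing is stored.
    const sent = this.blockThirdParty ? "" : this.adCookie;
    const setCookie = adServer.handleAdRequest(site, sent);
    if (setCookie && !this.blockThirdParty) this.adCookie = setCookie.split(";")[0];
  }
}

// Returns the list of profiles AdCo ends up holding after three visits.
function simulate(blockThirdParty) {
  const adco = new AdServer();
  const browser = new Browser(blockThirdParty);
  const sites = ["travel-news.example", "health-info.example", "sports-shop.example"];
  for (const site of sites) browser.visit(site, adco);
  return [...adco.profiles.values()];
}

console.log(simulate(false)); // third-party cookies allowed
console.log(simulate(true));  // third-party cookies blocked
```

With cookies allowed the server holds one profile linking all three sites; with them blocked it holds three unrelated single-visit records, because it cannot recognise the browser from one visit to the next.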

Part 2 — Denial of Service attacks

What is a DOS attack?

Every web server has a limit on how many requests it can handle at once. It has a finite amount of processing power, memory, and network bandwidth. A Denial of Service (DOS) attack deliberately exploits this limit by flooding the server with far more requests than it can process.

When the server is overwhelmed, it cannot respond to legitimate users. The service becomes unavailable — the website goes down, error messages appear, or connections time out. The attacker has not broken into the system or stolen data; they have simply rendered it inaccessible.

How a DOS attack works

In a simple DOS attack, a single computer belonging to the attacker sends an extremely high volume of requests — potentially thousands per second — to the target server. The server must attempt to process each one. As its resources are exhausted, it slows down and eventually stops responding to legitimate requests entirely.

Symptoms of a DOS attack

From a user's point of view, a DOS attack shows up as two main symptoms: slow performance (pages take far longer than normal to load, or load only partially) and inability to access the service at all (the connection times out, or an error page is shown). Neither symptom on its own proves an attack is happening — ordinary high demand can look similar — but a sudden, sustained combination of both is a strong indicator.

Distributed DOS (DDOS) attacks

A single attacker's computer has limited bandwidth, so a server with sufficient capacity can potentially handle a simple DOS attack by filtering or rate-limiting that source. A Distributed DOS (DDOS) attack overcomes this limitation by using a botnet — a network of thousands of infected computers, each sending requests simultaneously.

Each computer in the botnet (called a zombie) sends requests that individually look no different from normal traffic. But thousands of zombies together generate a combined volume of traffic that overwhelms even large, well-resourced servers. Because the requests come from thousands of different IP addresses, simply blocking one address does nothing — there are thousands more.

The owners of zombie computers are typically unaware their machine is part of an attack. The malware that recruits them usually runs silently in the background.
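To see why limiting each source works against a simple DOS but not a DDOS, the added example below (not part of the original lesson) applies a per-address request limit to one second of constructed traffic. The server capacity, the limit, the request counts and the addresses are all assumed values chosen for illustration.

```javascript
const CAPACITY = 1000;   // assumed: requests the server can process per second
const PER_IP_LIMIT = 10; // assumed: requests allowed per source address per second

// Build one second of constructed traffic: `count` sources sending `each` requests.
function sources(prefix, count, each) {
  const requests = [];
  for (let i = 0; i < count; i++) {
    const ip = `${prefix}.${Math.floor(i / 256)}.${i % 256}`;
    for (let r = 0; r < each; r++) requests.push(ip);
  }
  return requests;
}

// Apply the per-source limit to one second of traffic and compare what gets
// through with what the server can handle.
function oneSecond(traffic) {
  const seen = new Map(); // source address -> requests so far in this second
  let admitted = 0;
  for (const ip of traffic) {
    const n = (seen.get(ip) || 0) + 1;
    seen.set(ip, n);
    if (n <= PER_IP_LIMIT) admitted++;
  }
  return { received: traffic.length, sources: seen.size, admitted,
           overloaded: admitted > CAPACITY };
}

function compare() {
  const customers = sources("172.16", 200, 1);     // 200 real users, 1 request each
  const single = sources("192.0", 1, 5000);        // simple DOS: one machine
  const botnet = sources("10.0", 10000, 2);        // DDOS: 10,000 zombies, 2 each
  return {
    dos: oneSecond([...customers, ...single]),
    ddos: oneSecond([...customers, ...botnet]),
  };
}

console.log(compare());
```

In the single-source case the limiter cuts 5,200 requests down to 210 and the server copes. In the distributed case every zombie stays under the limit, so all 20,200 requests are admitted and the server is overloaded.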

Type of fault

Not every DOS attack overwhelms a server in the same way. The Higher course names three specific types of fault:

Effects of a DOS or DDOS attack

The effects of an attack are the disruption caused to users and the business itself:

Costs of a DOS or DDOS attack

Separate from the disruption itself, an attack has a financial cost to the organisation:

Reasons for DOS attacks

Attackers launch DOS attacks for different underlying reasons:

Worked examples

Example 1 — How a tracking cookie builds an advertising profile
1. A user visits a travel news website. The page loads adverts from AdCo, a large advertising network. AdCo's code runs and checks: does this browser have an AdCo cookie? No — so AdCo sets a cookie containing a unique ID (e.g., uid=A7F3B) and records: "A7F3B visited a travel site."
2. The same user then visits a health information website — which also uses AdCo adverts. AdCo's code reads the existing cookie: "This is A7F3B." It records: "A7F3B also visited a health website."
3. Next, the user visits a sports retailer, also an AdCo client. AdCo reads the same cookie and records: "A7F3B visited a sports shop."
4. AdCo now has a profile for user A7F3B: interested in travel, health, and sport. On the next site they visit, AdCo serves adverts for travel insurance, health supplements, and running shoes — all tailored to those interests.

Key point: The user never gave AdCo their name or email. But AdCo built a profile by silently linking visits across websites using the same cookie ID.

The step-by-step tracking process can be shown as a pipeline:

Step 1 (First visit): AdCo sets cookie uid=A7F3B on user's browser
↓ User visits another site also using AdCo adverts
Step 2 (Recognised): AdCo reads existing cookie — identifies returning user A7F3B
↓ Each site visit adds to the profile
Step 3 (Profile built): AdCo links visits across sites — builds interest profile
↓ Profile is used commercially
Step 4 (Targeted ads): User sees personalised adverts based on tracked interests

Example 2 — How a DDOS attack unfolds against an online retailer
1. Setup: An attacker has previously infected thousands of computers with malware, creating a botnet. Each zombie computer awaits instructions.
2. Launch: The attacker sends a command to the botnet: "Send requests to shop.example.com." All 10,000 zombie computers simultaneously begin sending connection requests to the retailer's server.
3. Overwhelm: The server receives far more requests per second than its hardware and network connection can handle. CPU usage hits 100%, memory fills, bandwidth is saturated.
4. Effect on users: Real customers visiting the shop get timeout errors or cannot connect. The website is effectively offline for legitimate users.
5. Difficulty defending: The IT team cannot block individual IP addresses — there are 10,000 sources. Even if they block 1,000, the remaining 9,000 are still enough to overwhelm the server.

Business impact: The retailer loses all online revenue for the duration of the attack and may lose customer trust — even if the attack lasts only hours.

Example 3 — DOS vs DDOS: key differences
1. Source of traffic: A DOS attack comes from a single machine controlled by the attacker. A DDOS attack comes from thousands of machines (a botnet), often spread across many countries.
2. Volume: One machine has limited bandwidth. Ten thousand machines together can generate traffic volumes that overwhelm even enterprise-grade servers with redundant infrastructure.
3. Defence: A simple DOS can sometimes be blocked by adding a firewall rule to drop all traffic from the attacker's IP address. A DDOS cannot be stopped this way — blocking one IP still leaves thousands of others sending traffic.

Summary: Both attacks aim to make a service unavailable. DDOS is far more powerful and much harder to defend against because the attack is distributed across many sources with different IP addresses.

Denial of Service: same goal, very different scale and defence challenge

Simple DOS attack (1 source): One attacker machine. Limited bandwidth. Can be blocked by filtering one IP address.
Distributed DDOS attack (1,000s of sources): Botnet of zombie computers. Massive combined traffic. Cannot be blocked by IP — thousands of different addresses.

Now you try
A user visits a recipe website, then a sports website, then a travel website. All three use adverts from the same advertising company (AdCo). Describe, in steps, how AdCo uses tracking cookies to build a profile of this user across the three visits.
⚠️ Common mistakes — examiner feedback
📝 Exam tip

These two topics appear regularly in Higher Computing past papers, often as 2-mark "describe how" questions. The key words examiners look for:

For a DDOS question, always contrast it with a simple DOS to show you understand the difference — this is what earns the second mark.

DOS questions are also asked using the SQA's five separate categories — symptoms, effects, costs, type of fault, and reasons. If a question asks you to "name the type of fault", the only three valid answers are bandwidth consumption, resource starvation, and Domain Name Service (DNS) — do not answer with a symptom or effect instead.

Task Set A

Task Set A — Higher core
Work through all questions. Check when done.
A1
What does the abbreviation DOS stand for in the context of cybersecurity?
A2
Which of the following best describes a tracking cookie?
A3
What term describes a network of infected computers used to carry out a DDOS attack?
A4
A DOS attack is launched against a popular streaming service. What is the most likely immediate effect on users?
A5 — past paper style (2 marks)
Describe how a tracking cookie is used to build an advertising profile of a user.
A6 — past paper style (2 marks)
Describe two effects that a successful DOS attack could have on an online shopping business.
A7 — past paper style (2 marks)
Explain why a DDOS attack is more difficult to defend against than a simple DOS attack.
A8
A user notices that adverts on many different websites seem to relate to products they searched for earlier in the week. Which technology is most likely responsible?
A9
Under which regulation must UK websites ask for user consent before storing non-essential tracking cookies?
A10 — past paper style (2 marks)
Describe how a denial of service (DOS) attack makes a website unavailable to users.
A11
Which type of DOS fault occurs when an attacker's traffic simply uses up all of a network connection's available capacity, so no other traffic can get through?
A12 — past paper style (3 marks)
An online retailer's website becomes extremely slow and then completely unreachable after receiving an unusually high volume of network traffic that uses up all of its available bandwidth. State the symptom experienced by users, name the type of fault involved, and suggest one possible reason for the attack.
✅ Higher checkpoint — A5 (tracking cookies), A7 (DDOS vs DOS), A10 (how DOS works), and A12 (symptom/type of fault/reason together) are the most exam-relevant written questions. Confident on all four = well prepared for prelim and SQA exam.

Task Set B

Task Set B — Extension · Beyond the specification
B1
Research shows that most users click "Accept All" on cookie consent banners without reading them. Explain why this is a privacy concern, and suggest one measure that governments or browser developers could take to better protect users.
B2
Many computers involved in DDOS attacks are participating without their owners' knowledge. Explain how a computer might become part of a botnet, and describe two steps the computer's owner could take to reduce this risk.
B3
A company's IT manager says they can defend against a DDOS attack by using a firewall to block the attacking IP addresses. Explain why this approach is unlikely to be effective.
📁 File this in OneNote under:
Higher Computing Science → Computer Systems → CS11
📌 Teacher notes — not for pupils

Timing (120 min double):
5 min — warm up independently (CS10 recap), circulate
5 min — key vocabulary as a class
15 min — tracking cookies: walk through Example 1 together, draw the flow on the board
10 min — DOS attacks: key concept introduction
10 min — DDOS: worked examples 2 and 3, use the clash-box visual to contrast DOS vs DDOS
5 min — "Now you try" (tracking cookie profile question) independently, then reveal
5 min — common mistakes — read through together
25 min — Task Set A (independent work)
10 min — cold call review of A5, A7, A10 (the written questions most likely to appear in the exam)
10 min — Task Set B for those who finish early

Watch for: pupils confusing DOS and DDOS (test this explicitly in cold call — "how many sources?"); pupils saying a DOS attack "hacks" the server; pupils giving only one effect in A6 when the question asks for two.

Tracking cookies discussion hook: Ask pupils: "Has anyone noticed adverts following them around the internet after they searched for something? How do you think that works?" Almost every pupil will have experienced this. Use their examples to introduce the mechanism before the worked example.

GDPR note: A9 (GDPR) is a known 1-mark question in past papers. Pupils must be able to name the regulation, not just describe it.